U.S. Secret Service: Best Practices For Seizing Electronic Evidence

A Pocket Guide for First Responders

There are general principles to follow when responding to any crime scene in which computers and electronic technology may be involved. Several of those principles are as follows:

Officer safety – secure the scene and make it safe.

If you reasonably believe that the computer is involved in the crime you are investigating, take immediate steps to preserve the evidence.

Do you have a legal basis to seize this computer (plain view, search warrant, consent, etc.)?

Do not access any computer files. If the computer is off, leave it off.
If it is on, do not start searching through the computer.

If the computer is on, go to the appropriate sections in this guide on
how to properly shut down the computer and prepare it for
transportation as evidence.

If you reasonably believe that the computer is destroying evidence,
immediately shut down the computer by pulling the power cord from
the back of the computer.

If a camera is available, and the computer is on, take pictures of the
computer screen. If the computer is off, take pictures of the
computer, the location of the computer and any electronic media
attached.

This guide assumes that the patrol officer, detective or investigator is
legally present at a crime scene or other location and has the legal authority to
seize the computer, hardware, software or electronic media.

If you have reason to believe that you are not legally present at the location, or
that the individual (suspect or victim) does not have the legal ability to grant consent,
then immediately contact the appropriate legal counsel in your jurisdiction.

PLAIN VIEW

The plain view exception to the warrant requirement only gives the legal authority
to SEIZE a computer, hardware, software and electronic media, but does NOT
give the legal authority to conduct a SEARCH of this same listed electronic
media.

CONSENT

When obtaining consent, be certain that your document has language specific to
both the seizure and the future forensic examination of the computer hardware,
software, electronic media and data by a trained computer forensic examiner or
analyst.

If your department or agency has a consent form relevant to computer or
electronic media and its analysis by a computer forensic examiner, it should be
used. If you do not have a form and are drafting a consent form, consult with
your District Attorney, State Prosecutor or Assistant United States Attorney for
advice regarding proper language and documentation.

SEARCH WARRANT

Search warrants allow for the search and seizure of electronic evidence as
predefined under the warrant. This method is the most preferred and is
consistently met with the least resistance both at the scene and in a court of law.
Search warrants for electronic storage devices typically focus on two primary
sources of information:

Victim Questions:
• Has the victim been on-line in any chat rooms?
• Does the victim use the internet, e-mail or chat from any other computers? If so,
at what locations?
• Did the victim provide any information to anyone on-line regarding their true
name, age and location?
• What is the victim’s e-mail address or on-line chat room name?
• Who is on the victim’s “buddy list” in chat rooms?
• Does the victim save / archive chat room logs?
• What type of chat / e-mail client does the victim use?
• What were the specific sexual acts observed in the images or the electronic
communications?
• Has the victim received any pictures or gifts from the suspect?

Suspect / Target Questions:
• Where are all of the suspect’s computers?
• Does the suspect remotely store data (external hard drive, on-line storage, etc.)?
• What is the suspect’s on-line identity or chat room name?
• Has the suspect electronically communicated with any person?
• How does the suspect communicate with other persons? (chat, e-mails, etc.)
• Has the suspect viewed any child pornography using the computer? If so, how
did the suspect obtain the child pornography?
• Did the suspect send child pornography to any other person in the suspect’s state
or in another state?
• Did the suspect realize that they were viewing images of children as opposed to
computer-generated images of children?

Intrusions / Hacking: (Network Questions)

Home Networks
• Can you physically trace all of the network cables back to their respective
computers?
• Can each computer be associated with an individual user?
• Is the network connected to the internet?
• How is the network connected to the internet (DSL, Cable, Dial-up, etc.)?
• Where is the DSL / cable modem located? Is it currently connected?
• Who is the internet service provider (ISP)?
• Is there more than one computer that can connect to the internet?
• Is there any wireless networking in place?

INVESTIGATIVE QUESTIONS

Business Networks
• Who first observed the illegal activity?
• Obtain the type of illegal activity and contact information for all witnesses.
• Identify the network administrator and obtain contact information. (The network
administrator should not be contacted by the first responder.)
• Are any employees / former employees considered to be suspects?
• Is there a printed diagram of the network available?
• Are computer logs being maintained?
• Can the computer logs be immediately secured for further investigation?
• Have any other law enforcement agencies been contacted?

Crimes Involving E-Mails

Victim Questions:
• Identify victim e-mail addresses and internet service provider (ISP) information.
• Identify all usernames and e-mail accounts used by the victim.
• Obtain any printed copies of e-mails that the victim has received. Do not turn on
the computer to print e-mails.

Victim Questions:
• Ask if the victim had logging or archiving activated during chat sessions.
• Identify the victim’s online screen name and e-mail addresses.
• Obtain copies of any material the victim has already printed.
• What type of software / chat client is used by the victim?

Suspect/Target Questions:
• Identify the suspect’s online screen name and e-mail addresses.
• Obtain all passwords and associated software / usernames used by the suspect.